Understanding HIPAA: Patient Privacy Laws for Medical Aesthetics

Monday, November 7, 2016

By: Alex Thiersch

Like millions of other businesses, medical aesthetic practices and medspas often use social media channels—such as Twitter, Facebook and Instagram—to increase brand awareness, promote new services, and strengthen the bond between providers and patrons. Unlike other service- and product-based businesses, medical practices and medspas are bound by patient privacy regulations set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And it is shockingly easy for a practice to expose itself to HIPAA violations through social media activity.

HIPAA Basics

HIPAA is a piece of legislation that regulates the many ways in which the business of health care is conducted in the U.S. Since its adoption, however, it has become virtually synonymous with the issue of patient privacy. HIPAA’s Patient Privacy Rule prohibits medical institutions from sharing protected health information, which it defines as anything that can be used to identify a patient. This can include an email address, street address, name, birth date, Social Security number, etc. All of this information must be kept completely confidential.

Medical facilities that violate HIPAA’s Patient Privacy Rule may be subject to substantial fines—sometimes in the hundreds of thousands of dollars per violation. Additionally, many states enforce even stricter patient privacy statutes, so practices and medspas must take great care to protect their patients’ identities and healthcare information.

Social Media Guidelines

There are three major ways that medical aesthetic facilities and medspas can violate patient privacy laws through the use of social media.

Publicly reaching out to a patient. If you are connecting with patients via a social media channel, such as Facebook or Twitter, it might seem like a good idea to reach out to them after a visit to thank them for coming in. This can help build a relationship by showing your gratitude for their patronage and entice their friends to learn more about your services. Unfortunately, this seemingly innocuous act may constitute a HIPAA violation, because you have revealed that the person is one of your patients.

You can thank your patients via social media by using the private messaging feature of whichever social media platform you are using. However, the safest avenue to follow up with patients while protecting their privacy is through a handwritten note, personal email or direct phone call.

Publicly responding to a positive comment from a patient. Let’s say that one of your patients posts the following on your practice’s Facebook wall: “Had a great Botox treatment here today!” You may be inclined to post a response, such as: “Thanks! We hope to see you again soon!” Though it appears harmless, even this response can represent a breach of patient privacy, because you have confirmed that this person is a patient of your practice.

This is an emerging legal issue that has yet to be put to the test by litigation, and it could be argued that by publicly posting that message the patient is tacitly waiving his or her HIPAA protection. Unfortunately, HIPAA and other state-based privacy laws are very strict, so it’s probably not a good idea to test them.

You can avoid this trap by stating on your social media channels that, although you appreciate all comments and feedback from patients, the best way to deliver them is via email or to call the practice directly. This way, you do not appear unappreciative yet you reduce your potential exposure to patient privacy violations. Alternatively, you can draft a form acknowledging that the patient wishes to waive his or her HIPAA protection for social media communication. If you choose to follow this route, the release form should be created or reviewed by a healthcare attorney.

Responding to negative reviews. Yelp is a social media service that allows users to rate the experiences they have with businesses. As of the fourth quarter of 2015, more than 86 million unique visitors per month on mobile devices and 75 million unique visitors per month on desktop computers consult Yelp’s more than 95 million user-generated reviews, so make no mistake: This service is immensely powerful. The success or failure of a business can be determined by its Yelp reviews alone.

The site encourages businesses that are critiqued to become part of the conversation by allowing owners and operators to respond to reviews and engage with users. This provides most businesses recourse for dealing with problematic Yelp reviews—they can openly engage critical users through the service and attempt to address the customer’s concerns or demonstrate that they’ve done nothing wrong. The owners and operators of medical aesthetic practices and medspas, however, should not respond to these posts. If they do, they risk identifying unhappy users as patients, thereby violating patient privacy statutes.

The best way for practices to combat bad Yelp reviews—the only way, really—is to encourage satisfied patients to post positive reviews. It’s no surprise that given the importance of Yelp and the lack of a level playing field regarding its reviews, owners and operators of medical aesthetic facilities may be tempted to engage in what is known as “astroturfing”—using employees or associates to post fake positive reviews in order to bolster ratings. However, they must resist that urge, as this action can be interpreted as consumer fraud. In fact, New York state regulators recently issued enormous fines to several facilities for astroturfing.

Social media is a valuable marketing tool for aesthetic practices and medspas, but the significant cost of Patient Privacy Rule violations—both financial and to one’s reputation—necessitates careful oversight and training. Practice owners and operators should make sure that everyone involved in their social media campaigns—as few people as possible, ideally—understands that it is critically important to respect and protect patient privacy at all times and in all communications.